SQL injection and global variable poisoning in XMB Forum 1.9.1

heintz_at_hotmail.com
Date: 08/09/05

    Date: 9 Aug 2005 12:00:00 -0000
    To: bugtraq@securityfocus.com
    
    
    Vendor notified and partial patch at:
    http://forums.xmbforum.com/viewthread.php?tid=754523

    First, the input validation in xmb.php:

    foreach ($global as $num => $array) {
        if (is_array($array)) {
            extract($array, EXTR_OVERWRITE);
        }
    }

    This call should be set so that it does not overwrite any existing
    variables, because as written it overwrites server-set variables too.
    This creates problems when a user submits an additional field in a form:

    <input type="text" name="_SERVER[REMOTE_ADDR]" value="555.555.555.555">

    Second, there is a case of SQL injection in include/u2u.inc.php,
    line ~491:
    Code:

    $in = '';
    foreach ( $u2u_select as $value ) {
        if ( $GLOBALS['type'.$value] != 'outgoing' ) {
            $in .= ( empty( $in ) ) ? "$value" : ",$value";
        }
    }
    ...
    $db->query( "UPDATE $table_u2u SET readstatus='no' WHERE u2uid IN($in) AND owner='$self[username]'" );

    The variable $in is never actually validated, and it could and will cause problems if not fixed.

    Greets #rainbowcrack and http://www.waraxe.us
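
One way to validate the values that end up in $in before the UPDATE runs, shown as an added example that is not part of the original advisory or of XMB's code. The helper build_u2u_id_list(), the $types map (standing in for the $GLOBALS['type'.$value] lookup) and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not XMB code. build_u2u_id_list() is a hypothetical helper.

/**
 * Reduce user-submitted u2u ids to a list that is safe to place inside IN(...).
 *
 * $submitted : raw values from the form (the advisory's $u2u_select)
 * $types     : id => folder type, replacing the $GLOBALS['type'.$value] lookup
 *
 * Returns a comma-separated list of positive integers, or null when nothing
 * valid remains, so the caller can skip the query (an empty IN() is a SQL
 * syntax error).
 */
function build_u2u_id_list(array $submitted, array $types): ?string
{
    $ids = [];
    foreach ($submitted as $value) {
        // FILTER_VALIDATE_INT returns false for arrays, non-numeric strings,
        // out-of-range numbers and anything below min_range.
        $id = filter_var($value, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
        if ($id === false) {
            continue; // drop the value instead of trying to clean it
        }
        if (($types[$id] ?? '') === 'outgoing') {
            continue; // same exclusion as the original loop
        }
        $ids[$id] = $id; // keyed by id, so duplicates collapse
    }
    // Only integers produced by filter_var() reach the string.
    return $ids ? implode(',', $ids) : null;
}

// Constructed sample input: valid ids, a duplicate, an outgoing message,
// a value with trailing non-numeric text, and a nested array.
$u2u_select = ['12', '15', '12', '7', '15 extra text', ['nested']];
$types      = [7 => 'outgoing'];

$in = build_u2u_id_list($u2u_select, $types);
if ($in === null) {
    echo "nothing to update\n";
} else {
    echo "u2uid IN($in)\n";
}
```

With the constructed input above, only ids 12 and 15 reach the IN() clause.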
